just another infosec blog

Disposable emails

Everybody hates spam. I do. You do (if you don’t I’ll force you to). Waking up to an inbox full of spam from a company you once registered your email address with eons ago is a drag. Especially from those companies offering “free” white papers. Today I’ll look into ways to combat this by looking at a service offering disposable email addresses.

Mailinator

Mailinator is a service offering disposable email addresses. It’s a great service that does not require that an account or mailbox with the recipient’s name be created beforehand. It’s dead simple to use. This is the reason I prefer it. Whenever you sign up for anything just enter an address ending in “@mailinator.com”. Mailinator will automatically create your inbox on the very first email received.

Reading emails

To better illustrate this I sent an email to “startrekcoffeeshop@mailinator.com” using anonymousemail.me. The receiving address had not been created before sending. To check received mail, I just visit the Mailinator website and enter the recipient name. No password required!

Mailinator – front page

After “logging” in I see that the email I just sent has been delivered to my inbox.

Notice that Mailinator doesn’t offer to reply or send emails. Some might say this is a complete bummer. Perhaps. The way I use it, it doesn’t matter since it’s purely for receiving purposes.

Reading someone else’s inbox

If you expect “your” inbox to be private you are dead wrong. It isn’t. This isn’t unique to Mailinator since most services like it have the same features. While researching and collecting screenshots I stumbled over some already-made inboxes.

Mailinator – reading someone else’s inbox 1

Judging from the screenshot above someone has set up a spam trap using this service. Most likely, this inbox is used by several people.

Mailinator – reading someone else’s inbox 2

Just for kicks, I opened up an inbox referencing Apple computers, or so I imagine. I even accidentally opened up an inbox containing usernames and passwords to several social media and dating sites. It could be I stumbled across faked information – or … I decided to leave out the screenshots for that one.

Other services

Mailinator is just one service offering disposable emails. Here’s a small list of alternatives:

Most services don’t bring that much new to the table. Some services let the address live for a brief time before it is discarded. Typically these also offer auto-generated addresses for you to use. Some may say this’ll increase privacy – I think you should regard these services as being insecure to begin with.

You may ask why I focus on alternatives. The reason is that many portals and such are able to sniff out these addresses and block them. Typically I’ve found that websites offering white papers do this. That’s when a list of alternatives comes in handy.
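
How a site might sniff out such addresses at sign-up, and how the same check finds existing accounts whose password-reset mail would land in a publicly readable inbox, shown as an added example that is not code from this post or from any of the services mentioned. The blocklist entries other than mailinator.com, the account data and all function names are constructed for illustration, and treating subdomains of a listed domain as disposable is an assumption.

```python
# Added example: detecting disposable-mail domains on the sign-up side.
# BLOCKLIST is constructed; only mailinator.com is taken from the post.
BLOCKLIST = {"mailinator.com", "disposable.example", "tempmail.example"}


def domain_of(address):
    """Return the normalised domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")  # last '@' wins
    domain = domain.rstrip(".").lower()  # DNS names are case-insensitive
    if not sep or not local or not domain:
        return None
    return domain


def matched_entry(address, blocklist=BLOCKLIST):
    """Return the blocklist entry covering the address's domain, else None."""
    domain = domain_of(address)
    if domain is None:
        return None
    labels = domain.split(".")
    # Compare whole labels, so inbox.mailinator.com matches but
    # notmailinator.com does not (a plain endswith() would flag it).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def audit_accounts(accounts, blocklist=BLOCKLIST):
    """Map usernames to the matched entry for accounts on disposable mail."""
    flagged = {}
    for username, address in accounts:
        entry = matched_entry(address, blocklist)
        if entry:
            flagged[username] = entry
    return flagged


SAMPLE_ACCOUNTS = [  # constructed account data
    ("alice", "alice@corp.example"),
    ("bob", "startrekcoffeeshop@Mailinator.com"),
    ("carol", "carol@inbox.mailinator.com."),
    ("dave", "dave@notmailinator.com"),
    ("erin", "no-at-sign"),
]

if __name__ == "__main__":
    for user, entry in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: disposable domain ({entry})")
```

Accounts flagged this way are candidates for a forced email change or an extra verification step, since anyone who knows the address can read the reset mail.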

Pros

There are many uses of said services, not just for downloading white papers. Here are a few pros for using disposable emails:

Anonymity! No one knows who owns the address.

Safeguarding your real inbox from spam.

Works great when you need to log in to a webpage to evaluate it or to get content.

Less muck to worry about.

Cons

There are plenty of cons to using disposable addresses. Here are a few:

Some companies aren’t overly happy about accepting disposable addresses, thus they tend to block sign-ups. The reason for this is simple. Any person signing up is a potential sales lead and since these addresses are bogus these are considered cold leads. No potential for earning a buck.

Some of the services let you define your own address. This means that any other person out there can do the same. There is a real chance that someone can hack into your inbox by just entering the same address. On second thought, even the auto-generated ones can be hacked relatively easily.

Password resets can be a bitch since the email address may no longer exist.

You are really opening up your inbox to the world.

Advice

Be smart when using disposable emails. Here’s some advice:

Don’t reveal yourself in the address. Use garbled information or something just silly (like “startrekcoffeeshop”).

Delete any emails once read, if the service allows it.

Don’t sign up to social media sites using such addresses. I accidentally found the username and password belonging to someone when I made the screenshots in this post. I also found usernames and passwords to a dating site.

Remember your inbox is most likely open for the entire world to read!

Keep sensitive data out of correspondence!

I enjoyed making this blog post! If you enjoyed reading it, please share it. Don’t hesitate to contact me on Twitter (@reedphish)!